Edwork
Welcome to Edwork! This site is a collection of my thoughts and projects I've worked on. Click 'Read More' to learn more about me or have a look at the information below!
https://www.edwork.org/
Thu, 16 Nov 2017 15:07:29 -0800
Jekyll v3.6.2
<p><strong>PfSense with HAProxy</strong></p>
<p>I run a variety of homelab services, as many of us do over at <a href="https://reddit.com/r/homelab">/r/homelab</a>, a handful of which are based around my <a href="https://plex.tv">Plex</a> server. For a while I was accessing my various services via their hostnames and port numbers, but that felt too pedestrian, so I decided to start using a reverse proxy. I’ve been running <a href="https://www.pfsense.org">PfSense</a> for quite some time now and have been aware of Squid Reverse, but after some flaky performance I switched over to <a href="https://doc.pfsense.org/index.php/Haproxy_package">HAProxy</a>. Now all of my services can be accessed via presentable URLs like https://plex.edwork.org rather than http://plex.edwork.org:32400.</p>
<p>HAProxy proxies anything served over HTTP from any number of web servers, matched via their <a href="https://www.w3.org/Protocols/rfc2616/rfc2616-sec14.html">HTTP Host header</a>. DNS records point both <em>hostA.edwork.org</em> and <em>hostB.edwork.org</em> to the IP of HAProxy, and based on what I’ve configured, hostA gets routed to server A and hostB gets routed to server B. In addition to this, any request that comes in on port 80 gets a <a href="https://en.wikipedia.org/wiki/HTTP_301">301 redirect</a> to the same URL over HTTPS. SSL offloading is great because we don’t have to configure certificates on each individual service; since TLS terminates at HAProxy, the hop from HAProxy to the service is plain HTTP, so as long as that link runs over a network you trust there’s no worry about insecure connections.</p>
<p>Here’s how to get it set up in PfSense:</p>
<p><strong>Warning:</strong> This article assumes you are somewhat familiar with IP addressing, PfSense, HTTP, and DNS.</p>
<p>First, you’ll want to configure your backend(s). Click ‘Add’ at the bottom of the list to get started. Assign it a name, address, and port:</p>
<p><img src="/assets/blog/backend.png" alt="backend-pic" /></p>
<p>Leave ‘Balance’ at ‘None’ and change ‘Health Check Method’ to ‘Basic’. If you leave it at ‘HTTP’ it may work, but sometimes the detection is faulty and HAProxy will give you a 503 saying the site is down; your results may vary.</p>
<p><img src="/assets/blog/balance.png" alt="loadbalance-pic" /></p>
<p><img src="/assets/blog/healthcheck.png" alt="healthcheck-pic" /></p>
<p>Add as many backend services as you need; this may include a random web server, Sonarr, Plex, Radarr, CouchPotato, you name it.</p>
<p>Next, I find it best to create a Virtual IP for HAProxy to listen on. This way you can create custom rules around the Virtual IP rather than using your WAN or LAN interface. I created the IP 10.101.101.101 with a /32 mask so that it is the only address in its subnet, and made it an IP Alias.
<img src="/assets/blog/pfsense-vip.png" alt="pfsense-vip" title="PfSense Virtual IP Configuration" /></p>
<p>Once you’ve set up your Virtual IP, you’ll want to port forward both port 80 and 443 to it.</p>
<p>Back in HAProxy, we’ll configure the Frontend. I set it to listen on ports 80 and 443 on my Virtual IP (be sure to check the SSL box on the 443 entry). Give it a name and description, and set it to active. Keep the type as ‘http / https(offloading)’.</p>
<p><img src="/assets/blog/frontend.png" alt="frontend-pic" /></p>
<p>Access Control Lists: you can do a lot here, such as restricting access based on client certificates (which I may go into at a later date), but all we’re going to do is hostname matching. Create a new entry like the example below:</p>
<p><img src="/assets/blog/acl.png" alt="acl-pic" /></p>
<p>Next we’ll create a matching Action for the ACL, like below:</p>
<p><img src="/assets/blog/action.png" alt="action-pic" /></p>
<p>Under Advanced Settings I’ve checked the ‘Use forwardfor option’ box, set ‘use httpclose option’ to ‘http-keep-alive (default)’, and under Advanced Pass Thru put the following (only if you want to redirect HTTP traffic to HTTPS):</p>
<figure class="highlight"><pre><code class="language-conf" data-lang="conf">redirect scheme https code 301 if !{ ssl_fc }</code></pre></figure>
<p>SSL Offloading:</p>
<p>If you’ve been opting in to the SSL features this whole time, you will need some certificates loaded into PfSense. You can do so under System &gt; Cert. Manager. HAProxy will match the right certificate to the hostname of the requested URL.</p>
<p>Last, configure DNS so that all of your hostnames point to the IP alias. This way HAProxy handles every inbound request and forwards it to the right backend. If you’re using PfSense’s Unbound DNS resolver this is easy, but unfortunately it is outside the scope of this article.</p>
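<p>For reference, here is what the settings walked through above amount to as plain haproxy.cfg directives. This is an added illustration, not the post’s own configuration or the file the pfSense package generates; the backend addresses, the second hostname and the certificate directory are assumptions.</p>

```haproxy
# Added illustration: the GUI settings above expressed as haproxy.cfg
# directives. Backend addresses, the sonarr hostname and the certificate
# directory are assumptions, not values from the post or from pfSense.
global
    maxconn 1000

defaults
    mode    http
    timeout connect 30s
    timeout client  30s
    timeout server  30s

# Frontend bound to the /32 IP alias: plain HTTP on 80, TLS offloading on 443.
# TLS terminates here; given a directory, 'crt' loads every certificate in it
# and HAProxy picks one by the SNI name the client sends.
frontend services
    bind 10.101.101.101:80
    bind 10.101.101.101:443 ssl crt /var/etc/haproxy/certs/   # assumed path
    option forwardfor          # 'Use forwardfor option': adds X-Forwarded-For
    option http-keep-alive     # 'use httpclose option' = http-keep-alive (default)
    # Advanced Pass Thru: redirect anything that arrived without TLS
    redirect scheme https code 301 if !{ ssl_fc }
    # ACLs: one 'Host matches' rule per hostname
    acl host_plex   hdr(host) -i plex.edwork.org
    acl host_sonarr hdr(host) -i sonarr.edwork.org       # assumed hostname
    # Actions: 'Use Backend' for each ACL
    use_backend plex   if host_plex
    use_backend sonarr if host_sonarr
    # Deliberately no default_backend: a request for an unknown Host gets a
    # 503 from HAProxy instead of being handed to some arbitrary service.

# Backends with Balance 'None' and Health Check Method 'Basic'. 'check' with
# no 'option httpchk' is a plain TCP connect check; an HTTP check would
# expect a 2xx/3xx reply to GET / and otherwise mark the server DOWN, which
# is how you end up with the 503 mentioned above.
backend plex
    server plex 10.101.0.20:32400 check inter 1000       # assumed address
backend sonarr
    server sonarr 10.101.0.21:8989 check inter 1000      # assumed address
```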
<p>Hope this helps someone; if you have any questions, feel free to email me or message me on Hangouts: <a href="mailto:ed.boal@edwork.org">ed.boal@edwork.org</a></p>
Tue, 27 Jun 2017 19:15:45 -0700
https://www.edwork.org/2017/06/27/pfsense-with-haproxy/
Categories: blog
<p><strong>My PfSense Setup!</strong></p>
<p>I’ve been using <a href="https://www.pfsense.org/">PfSense</a> since about 2008. I first started running it on an old junk Pentium III desktop that I threw two PCI NICs into, giving me something much more capable than my Westell DSL modem combo. Together with a 16-port switch I got from Penn State’s <a href="http://surplus.psu.edu/">Lion Surplus</a>, my family’s home network was upgraded.</p>
<p>Today I’m still running PfSense, and after several iterations of hacked-together hardware (including a wall-mounted version) I’ve finally purchased a dedicated appliance via eBay: a repurposed Riverbed Steelhead (pictured below), which originally was a load balancer appliance. It’s got 2 usable NICs and 2 more that used to be failover ports, which are seemingly locked down by the firmware (and on my to-do list to unlock). So far it’s been much friendlier on power usage than my old inefficient PC-style solutions.</p>
<p><img src="/assets/blog/riverbed-steelhead.png" alt="riverbed-image" title="Riverbed Steelhead Load Balancing Appliance" /></p>
<p>Some people might call it overkill, but with the scale of homelab applications I’ve got running it’s necessary. At the moment I use:</p>
<ul>
<li>IP blocklists (China &amp; Russia)</li>
<li>Snort (passive at the moment, collecting data to gather trends)</li>
<li>DHCP</li>
<li>DNS (with forwarders to my AD DNS zones)</li>
<li>TFTP (for PXE booting)</li>
<li>HAProxy (handles most inbound traffic requests)</li>
<li>OpenVPN server
<ul>
<li>Mobile clients</li>
<li>Site-to-site to my dad’s house</li>
</ul>
</li>
<li>Bandwidth monitoring</li>
</ul>
<p>So far those are the services that I have fully in place, but that’s just the beginning. In the next few months I hope to have implemented <a href="https://doc.pfsense.org/index.php/Configuring_pfSense_Hardware_Redundancy_(CARP)">CARP redundancy</a> by adding a second virtualized PfSense instance, segmented VLANs, and increased intrusion detection complete with dashboards! Maybe throw in some <a href="https://www.ubnt.com/">Ubiquiti</a> gear and I’ll be set up better than most small businesses ;)</p>
Sun, 02 Apr 2017 09:57:45 -0700
https://www.edwork.org/2017/04/02/my-pfsense-setup/
Categories: blog, pfsense, network, setup
<p><strong>Welcome to the new Edwork!</strong></p>
<p>Welcome!</p>
<p>You’ve made it to the new Edwork!</p>
<p>I’ve ditched WordPress in favor of <a href="https://github.com/jekyll/jekyll">Jekyll!</a> With Jekyll I can avoid the security problems and complexity that a full CMS brings. Jekyll works by rendering static content out of Markdown and Liquid templates, so once the site is established, simple Markdown documents can be quickly rendered into good-looking pages.</p>
<p>In my case, I keep my website source in my <a href="https://git.edwork.org/explore">git repo</a>, and I’m working on having CI pipelines re-render the site after each commit and sync it back to the webserver. This way writing blog posts or updating site content can be done securely and quickly from almost any environment imaginable.</p>
Wed, 22 Mar 2017 01:15:45 -0700
https://www.edwork.org/2017/03/22/welcome-to-edwork/
Categories: blog, jekyll, welcome